This is really bad and scary news. The F.B.I. Says the Military Had Bogus Computer Gear.
[T]he… sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon.
The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components.
Cisco routers are everywhere. According to Cisco’s web site, “Cisco is the leading supplier of networking equipment and network management for the Internet.” The likelihood that you received this web page over one or more Cisco routers is extremely high.
Also, what if this wasn’t just counterfeiting?
The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort.
It’s one thing if largely used networking components get compromised through a flaw to allow “back door”, privilege escalation, or other nefarious access to data which flows across them. It’s an entirely different thing if these devices were (re-)engineered with villainous intentions. Such additions could be nearly impossible to detect. One more quote from the NY Times story:
The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor by altering the data file on a chip with nearly 1.8 million circuits used in automated manufacturing equipment…
“It’s very difficult to detect and discover these issues,” said Ted Vucurevich, the chief technology officer of Cadence Design Systems, a company that provides design tools for chip makers. Modern integrated circuits have billions of components, he said: “Adding a small number that do particular functions in particular cases is incredibly hard to detect.”
If this doesn’t give you nightmares, it should.